DE602004013244T2 - High-speed synchronization in a dual-computer-based safety controller - Google Patents

Description

GENERAL PRIOR ART

The The present invention relates to industrial controls suitable for Real-time control of industrial processes are used, and in particular industrial controls with "high Reliability "or" safety "for use are suitable in devices that human life and the Protect health should.

industrial Controllers are special computers used in industrial control Processes are used. Under the guidance of a saved controlled program examines an industrial control one Set of inputs reflecting the state of the controlled process and changing one Series of issues controlling the industrial process. The inputs and expenses can be binary this means on or off, or analogue, creating a value in a substantially continuous Area is provided. The inputs can be controlled from the Process connected sensors are received, and the outputs can Signals for Be actuators on the controlled process.

"Security systems" are systems that the safety of in the environment of an industrial process ensure working people. Such systems can Electronics include those with emergency shutters, light curtains and others Machine shutdown is associated. Traditionally, security systems have been implemented by a lot of redundant circuits, that of the industrial control system are separated, with which the industrial Process is controlled, associated with the security system is. Such security systems were "hardwired" from switches and Relays, including specialized "safety relay" that makes a comparison redundant signals and internal testing of fault conditions, such as ensuring welded or stuck contacts.

Hardwired Security systems that use duplicated wiring have in practice due to the difficulty of installing and Connecting hardwired components and duplicated sets of wiring especially in complex control applications and partly due to the difficulty in problem solving and Maintenance in a hardwired system whose logic is only through Rewiring changed can be as cumbersome proved.

Out This reason is considerable Interest in the development of industrial controls has emerged implement the security systems using programs can, the hard-wired the functioning of the physical components Simulate security systems. Industrial controllers are not only easier to program, but can reduce installation costs to disposal put by big ones Sections of redundant wiring in favor of a fast serial Communication network, and by improving Troubleshooting skills to disposal be put.

Height reliability let yourself in an industrial control system by using two achieve industrial controls that simultaneously control the same execute and compare their operations to detect errors. A procedure to compare the execution between two processors stops the execution of Statements of the program at the end of each statement, with the input variables used by the instruction in each processor and comparing the calculated output variables. Each processor transmits then compare these values to each other and then compare their own values with the transmitted to him. The processor is running then with the next Instruction continues, and this process is repeated.

One Disadvantage of this approach is that it reduces the execution speed the program significantly reduced and thus safety programs limited to relatively simple operations, or those that no fast response times or multitasking with other programs require.

Out US 2003/05 1203 A1 a safety controller having a first and a second communicating on a communication bus processing unit is known, each containing a processor and a memory, wherein the memory of the first and second processing units are each loadable with a common safety program and input / output variables, wherein the safety program repeats executable to read inputs from input variables representing the externally controlled devices and to write outputs to output variables representative of the externally controlled devices; a coordinator program providing the first and second processing units with identical input variables at a predetermined point in the repetitive execution of the common safety programs; a synchronization program executable by the first and second processing units for executing the common security programs and for comparing the execution of the common security programs and for entering a security state when this embodiment is under separates. This known security control simply uses a cross comparison of the transmission of data on a communication link. That is, if no messages are delivered, which could occur during the execution of a program, nothing is checked at all.

US-A-4,430,899 discloses a distributed data processing system, that is, a processing system in which various parts of the data processing task are undertaken by different components. Redundancy is discussed in this document only in the context of message transmission.

SUMMARY OF THE INVENTION

The The present invention becomes significant with redundant processing faster execution of security programs available by comparing the program execution only on output variable and only on the completion of multiple instructions limited becomes.

Intermediate variable, the no issues available but can be determined by the safety program, can be less often be compared. The comparison of input variables can be avoided by simply changing the input variable from a common Control copied. In this way, the execution speed of the redundant Programs significantly enlarged.

More accurate said, the present invention thus provides a safety control with a first and a second processing unit available, the communicate on a communication bus, each processing unit a processor and a memory, wherein the memory of the first and second processing units with a common Safety program and input / output variables can be loaded, wherein the safety program is repeatedly executed to input variables that read inputs from externally controlled devices, and to write output variables that are outsourced to external output Represent devices. A coordinator program provides each the first and second processing units at a predetermined point in the repeated execution of the common safety program with identical input variables. A synchronization program executed by the first and second processing units does that common safety program and compares the execution of the common security programs and enters a security state one, if this execution different.

A The object of the invention is thus, the execution speed redundant Programs that are compared to each other can be significantly increased by: the comparison of input variables eliminates and simply all input variables to be copied to each processing unit.

Of the Comparison can be made at a single point in the repeated execution of the common safety program, for example at the end of the common safety program.

Consequently It is another object of the invention to provide speed enhancements to disposal by eliminating the inefficiency that comes with a line by line comparison of the execution of the Program.

The Synchronization program can be the execution of the safety program by comparing by the first and second processing units, who execute the safety program, compare output costs.

A Another object of the invention is thus the improvement of the execution speed redundant engineered Security programs by limiting the comparison of expenses to a single point.

The Safety program is also executed to set values of internal variables that are not directly output to an external device, and the synchronization program can be the execution of the safety program by comparing values of these internal variables.

A Another object of the invention is thus a method for determining potential differences in the execution of these programs, the possibly not reflected in the output variables available to put.

Of the Comparison of internal variables can be done with a period the bigger than that Repetition period is.

A Another object of the invention is thus the distinction between Variable types and changing the periodicity of the comparison, the importance of these variables and the probability that they reflect fundamental errors, to correspond.

The coordination program may stop the execution of the common safety program at the predetermined point in the repetitive execution of the common safety program until the common safety program identical input variables were supplied.

A Another object of the invention is therefore synchronization the execution ensure the programs at periodic points and further at points where the program must be stopped, such as Example for the synchronization of the input variables. The coordination of Input variables can be enabled be by the input variable from the first processing unit copied to the second processing unit.

Of the first processor may contain a buffer that is asynchronous Input variable receives, and the coordination program may store the buffer at the predetermined Point identical to the input values of the other processing units copy.

A Another object of the invention is therefore to allow that input variables continue to accumulate asynchronously while the Input variables among the processors are coordinated.

The Synchronization can combine the output variable when the execution of the common safety program is not different to one single set of output variables transferable to the controller to produce.

A Another object of the invention is thus the provision a compact set of output variables for secure transfer of data to the Output device.

The Combination can generate a message that has an output variable that matches the value of the complemented output variable is chained.

A Another object of the invention is thus to enable a combined Output message that also resists falsification during transmission.

BRIEF DESCRIPTION OF THE FIGURES

1 Figure 4 is a simplified perspective view of a dual control system suitable for use with the present invention having primary and partner controllers communicating on a backplane and a programmer communicating on a dedicated interface with the primary controller;

2 is an electrical schematic diagram of the primary and partner control of 1 ;

3 is a logical representation of the primary and secondary controllers of 2 showing the allocation of security tasks and standard tasks;

4 Figure 12 is an illustration of a processing unit suitable for the primary and partner controllers, showing a processor with a memory protection unit and associated memory;

5 Fig. 10 is a flowchart of a transfer program executed in the primary controller for receiving programming instructions and data;

6 is a functional diagram of one of the primary and partner controllers of 3 operating system used, such as providing a task list for scheduling tasks, the task list indicating whether the task is a security or standard task;

7 Figure 11 is a flow chart of the execution of the security task on the primary and partner controllers;

8th is a flow chart similar to the one in 7 showing the execution of a standard task on the primary and partner controls;

9 is a representation of two regularly scheduled tasks for checking memory latches and comparing variables between the primary and partner controllers;

10 is a data flow diagram of the synchronization of input data according to a step of 7 using a two-stage buffer to ensure uniformity of asynchronous input values;

11 is a simplified view of 3 demonstrating the effect of asymmetric loading of standard and safety program information in preventing falsification of standard program information by the safety program; and

12 is a figure similar to that of 11 , which shows the effect of asymmetrically loading standard and safety program information while preventing the standard program undetectively modifying safety program information.

DETAILED DESCRIPTION OF THE PREFERRED Embodiment

systems with high Reliability "and" security "are the ones protect against the spread of erroneous data or signals by: Error or failure states be detected and their occurrence and / or entering a predetermined failure state is signaled. Systems with high reliability can high availability systems who are trying to find a specific degree of failure operational to stay. However, the present invention can be used in both systems useful Therefore, in the present use, it should be high in reliability and security not as high availability systems, the security operation to disposal make, excluding to be viewed as.

Regarding 1 provides a dual control security system 10 , which is suitable for use with the present invention, a chassis 12 available, in which a lot of control modules 14 according to the needs of the specific tax application. Each of the modules 14 holds an electrical connector on its back side (not shown) 24 ready with an appropriate connector 24 ' on the front of a rear wall of the chassis 12 forming backplane 26 can be connected. The connectors 24 ' are connected by conductive tracks, so that modules 14 free in the chassis 12 can be inserted to the backplane according to methods known in the art 26 to be connected to each other.

The control modules 14 can generally be a power supply 16 , a network module 20 and one or more modules 22 for input / output (I / O), a primary controller 18a and a partner control 18b include.

The power supply 16 can be via power conductors of the backplane 26 a source of regulated power for the other modules 14 make available while the network module 20 a connection between communication conductors of the backplane 26 and a fast serial network 34 , such as an Ethernet or the like. The network 34 with a remote chassis (not shown) 12 ' and other modules 14 can communicate, including I / O modules 22 and other controls 18 , The backplane 26 and the network 34 (and interfaces to) both can support a security protocol, such as that described in the above-referenced U.S. Patent Application 60 / 373,592 ( US-A-2003 020 8283 ).

The I / O modules 22 can with different sensors and actuators 44a and 44b at a controlled process 40 communicate. The controlled process 40 can be standard processes 42 include, such as those of the control of factories or the like, and security processes 46 which relate to a safety application, the sensors and actuators 44a the ones with the standard processes 42 associated and the sensors and actuators 44b the ones with the security processes 46 are associated. As will be described later, the dual control safety system allows 10 the execution of both safety control and standard control programs that share some of the same hardware.

The primary controller 18a and the partner control 18b each provide at least one independent processor and memory for executing a control program. Independent does not require that the processor and memory are physically separate, although this is preferred. In the preferred embodiment, the primary controls are 18a and the secondary controller 18b contained in separate enclosures, each independent of the backplane 26 can be connected. In this case contains the primary controller 18a according to conventions known in the art a key switch 28 that enables it, the primary controller 18a in a "run" or "program" mode or other states that are desirably manually controlled. The primary controller 18a also includes a serial communication port 30 such as an RS-232 port that allows it to connect directly to a programming terminal 32 to communicate. The programming terminal 32 may include standard programming tools modified for the present application, as will be described below.

The secondary controller does not contain the key switch 28 still the communication port 30 and may have other cost-saving workloads.

As an alternative, the primary controller 18a and the partner control 18b be housed in a housing, as long as the independence of the internal processing units to be described is maintained. As an alternative, the primary controller may be 18a and the partner control 18b in separate racks 12 which are connected by a fast serial connection.

Now referring to 2 can be the primary controller 18a an interface circuit 50 included over the connector 24 with the backplane 26 communicates, and an interface scarf tung 52 that with the port 30 communicates, both through an internal bus 54 with a processing unit 56 is connected. Both of the interface circuits 50 or 52 can be used to receive programming information from the in 1 shown programming terminal 32 can be used, and the interface circuit 50 can be used for communication between the primary controller 18a and the partner control 18b or any of the other modules used to convey safety data, safety program information, or other signals, as will be described.

The internal bus 54 is also on the key switch 28 connected, so the key switch 28 (as well as each of the key circuits 50 or 52 ) by the processing unit 56 can be monitored.

The processing unit 56 contains a processor 58 and a memory 60 , where the processor 58 directly by means of one of the internal bus 54 with the memory 60 separate memory bus 57 with the memory 60 communicated. Multiple processors can also be used. Memory can be a combination of volatile and non-volatile memory. In a multiprocessor system, each processor may have its own memory as well as shared memory. The memory 60 holds programs for an operating system and for a number of control tasks, called either security tasks or standard tasks. The operating system allows tasks to be scheduled such that each task is executed in its entirety before the next task is called. However, other conventional operating systems may be used. The memory 60 also holds I / O data from the I / O modules 22 be received and sent there. In addition, the memory contains 60 a fixed identification number 62 indicating that he is part of a primary controller 18a and is suitable for performing standard and security tasks and communicating directly with a user and stored in nonvolatile memory.

The partner control 18b is the primary controller 18a similar, but has a reduced part count, which makes the interface circuit 52 and the key switch 28 be omitted, but an interface circuit 50 , a processor 58 and a memory 60 all of which are the primary controller 18a are similar, to be provided. An important exception is that the partner control 18b in their memory an identification number 66 who states that she is a partner controller 18b is alone inoperable or performing standard tasks. The memory 60 the partner control 18b also holds programs for an operating system and only for a number of security control tasks. Collectively put those from the stores 60 the primary controller 18a and the partner control 18b A number of system programs are kept available to programs, including a transfer and synchronization program, as will be described below. As will be appreciated in the art, the division of the following program functions may be between the primary controller 18a and the partner control 18b or between tasks and the operating system as long as the functions described are maintained.

A typical I / O module 22 or network module 20 can be a first interface circuit 50 via the internal bus 54 with the processing unit 56 communicates, and second interface circuits 61 to provide I / O signals or communication signals as described.

Now referring to 1 and 3 a user can use the programming terminal 32 operate to a set of program instructions 70 entered here as rungs in a ladder logic program of a type well known in the art. The instructions can become a task together 72 can be grouped, which is a set of instructions that are logically executed together and that can be classified according to the operating system implementing multitask scheduling in a manner well known in the art generally. Each of the instructions 70 contains variable 76 , which represent input and output values, generally the states of sensors and actuators 44a and 44b or internal program values. This variable 76 can have initial values that match the task 72 to be recorded.

The Instructions may contain "security instructions" for security applications are specific that are executed only within a security task can.

During the generation of the task 72 calls a programming tool on the programmer 32 the user on, each of the variables 76 as a security variable or a standard variable and the task 72 to identify either as a security task or as a standard task. This status becomes a task 72 holding file 73 as a security identifier associated with the task 78 and variable scoping identifiers 80 in the variable definition part of the file 73 embedded. Note that the present invention is a tagging of variables 76 entwe the one in a security task 72 or a standard task 72 either as a standard variable 76 or as a security variable 76 allows. A standard-draft compiler implements this variable isolation, allowing standard tasks 72 the security variable 76 read, but can not describe, and security tasks 72 the default variable 76 can neither read nor describe. Additional hardware and architecture support for this scoping will also be provided as will be described below.

Now referring to 3 performs the primary control 18a both with standard processes 42 associated standard tasks 72a as well as with security processes 46 associated security tasks 72b using a single, time-division processing unit 56 out.

In this regard, the primary control holds 18a both standard data 76a as well as safety data 76b in the same, the processor 58 accessible physical memory 60 but in different regions 84 of the memory 60 in a region 84a for standard data 76a is reserved, and in a region 84b for safety data 76b is reserved, as will be described. As will be described, in order to provide hardware variable scoping, certain of the standard variables 76a from the region 84a as by the arrow 77 also indicated in the for security variable 76 allocated region 84b be copied.

The partner control 18b contains only the security tasks 72b and the safety data 76b in the physical memory 60 including the copied values of the standard data 76a as described.

Now referring to 4 includes the processor 58 both the primary controller 18a as well as the partner control 18b a memory protection unit (MPU) 81 of a type known in the art. The MPU ( 81 ) controls access by the processor 58 on the memory 60 over the memory bus 57 by using in the circuits of the processor 58 integrated hardware. In general, the MPU uses 81 a list of internal registers 82 in region 84 of the entries 85 of the memory 60 , which can be flexibly defined, and each region is identified either as a read / write region (R / W), indicating that the region is from the processor 58 read or write, or as a read-only region (R), indicating that the data of that region is from the processor 58 can only be read, or as unused, as indicated by an (X), indicating that this memory must neither be written nor read. Originally, the entire store 60 as indicated by the (X) area marked neither read nor write. Access to the memory is controlled by hardware that physically prevents read or write according to the register settings.

Now referring to 5 and 1 when a control program that consists of a number of tasks 72 It can be completed by the programming terminal 32 or another source using the port 30 or the network 34 only in the primary controller 18a of the dual control safety system 10 be downloaded. The programming terminal 32 identifies the primary controller 18a by means of the identification number 62 that in the store 60 the primary controller 18a is included and opens a connection with this primary controller 18a , The primary controller 18a must be like the key switch 28 or from the programming terminal 32 specified in programming mode.

Also with respect to 6 will be any task at this time 72 into a task queue 86 loaded by the operating system 73a the primary controller 18a is used to any task 72 classify using execution techniques well known in the art of operating system multitasking. The task queue 86 indicates that the task 72 is a standard task or a safety task. A transfer program 90 in the primary control 18a identifies each task 72 as a security task or standard task in the decision block 92 based on the security identifier 78 ,

The transfer program 90 in the primary control 18a then receives each task 72 to download. If the task 72 a standard task is then in the process block 94 a region 84a of the memory 60 in the primary control 18a deleted, and it gets in the process block 96 the task in this region 84a loaded. In the present invention, the regions 84a initially in the registry 82 for the MPU 81 marked as read or write.

Again with respect to 5 tries the primary controller 18a at the process block 98 if in the decision block 92 the task received is a security task, to confirm that it is a partner control 18b There is a connection between the primary controller 18a and the partner control 18b is made by making necessary connections in the backplane 26 or in the network 34 (for remote controls 18 ), which confirms that the partners control 18b works and has the necessary operating system 73b and not otherwise with a different primary controller 18a connected is. The confirmation process of block 98 works with a corresponding process block 100 in the partner control 18b ,

When partnership is verified, every control draws 18a and 18b this relationship and the partner control 18b occurs in one of the task queues 86 similar task queue in the security task 72b one. Unlike the task queue 86 Contains the task queue of the partner control 18b however, only security tasks, and the operating system 73b shares security tasks only in response to those of the operating system 73a followed schedule. For real-time control, in general, every security task 72b and standard task 72a is divided so as to be repeatedly executed with not less than a predetermined period to provide an appropriate response time necessary for control applications.

In the in the primary control 18a or partner control 18b executed subsequent process blocks 102 and 104 become the regions 84b in the store 60 each in the primary controller 18a and in partner control 18b for receiving the security task 72b deleted. The regions 84b are initially in the registry 82 for the MPU 81 the primary controller 18a and the partner control 18b marked as read only.

In that in the primary controller 18a or partner control 18b executed process block 106 and 108 becomes the safety task 72b from the programming terminal 32 in the primary control 18a accepted and as by the arrow 110 indicated to the partner control 18b forwarded to the partner control 18b over the process block 108 to be accepted, with an acknowledgment signal 112 answers that indicates the task 72b was received correctly and is complete and correct. In general, the safety task becomes 72b transferred in parts, and these process blocks 106 and 108 as through the next loop of the process block 114 for the primary controller 18a and 116 for partner control 18b indicated repeatedly until all parts have been transferred.

After the security task 72b completely in the primary controller 18a received and without error to the partner control 18b has been transferred, the transfer program is as through the process block 118 indicated ready and waiting for a possible loading of an additional task. Any errors in these blocks will cause the user to report an error condition and prevent the safety program from running.

As a result of the transfer process, those are in the primary control 18a and the secondary controller 18b Therefore, if the user has to upload the tasks, this can only be done by communicating with the primary controller 18a be achieved as it happens in a conventional control. A similar procedure is used for program parts that describe incremental online editing of tasks, that is, the user communicates with the primary controller 18a and the editing information is provided by the primary controller 18a to the secondary controller 18b forwarded.

Now referring to 7 can after the completion of loading the necessary standard tasks 72a and security tasks 72b the dual control security system 10 into a "Run" mode, for example by using the in 1 shown key switch 28 who received this condition through a message on the backplane 26 whose transmission by the in the primary control 18a executed process block 120 displayed and its receipt by the in the partner control 18b executed process block 122 is specified to the partner control 18b transmitted.

In one by the operating system 73a the primary controller 18a executed first process block 124 shares the primary control 18a either a security task 72b or a standard task 72a for execution. In general, the operating system follows 73b the partner control 18b the classification by the primary controller 18a and has less features than the operating system 73a provide.

Assuming that via the task selection block 124 a security task 72b is selected, the operating system starts 73a a synchronization program 121 starting with the forwarding of a message 172 to the operating system 73b the partner control 18b indicating that performing a security task 72b imminent, so the operating system 73b This task 72b like through the process block 126 specified in its task queue 86 Can be found.

The operating system 73a and 73b then moves to the following process blocks 128 respectively. 130 in which the registers 82 the MPUs 81 for the storage region 84b that the tasks 72b and her variable 76 keeps being checked, to make sure that these regions 84b correctly in read-only mode. If the regions 84b the memory 60 not in read-only mode, this indicates a problem with the previous lock of the memory upon completion of a security task, and an error is generated and further execution is suspended until the user corrects the problem.

If the lock check of the process blocks 128 and 130 indicates that the regions 84b locked (eg in read only status), the regions become 84b unlocked (eg transferred to read / write status), and the operating systems 73a and 73b drive with the process blocks 132 respectively. 134 continued. This unlocking step could alternatively be performed by the security task itself as a first step, as long as the task execution is not interrupted by the operating system.

In these process blocks, the inputs for the safety tasks 72b , the input values of the security variables 76 represent, respectively for the primary controls 18a and the partner control 18b synchronized.

With temporary reference to 10 generally become input variables 76b solely through the primary controller 18a asynchronous through the interface circuit 50 received to that as part of the memory 60 formed asynchronous buffer 140 to be held. This buffer 140 may be ordered in an orderly manner asynchronously with the tasking by the operating system 73a or replicate on a random basis according to changes in the input variables 76 That involves a transmission of messages to the primary controller 18a trigger, fill up. In the present invention, it is necessary that the input variable 76 as identical copies in the stores 60 the primary controller 18a and the partner control 18b exist. This synchronization is achieved by an orderly read out of the buffer 140 at the same time in the clean buffers 142 and 144 in the primary controls 18a or partner control 18b during the process blocks 132 and 134 reached. In this process, all input data flows from the primary controller 18a to the partner control 18b so as to eliminate any possibility of having different input variables 76 in the controls 18a and 18b would be as it might occur if the input variable 76 directly to the primary controller 18a and the partner control 18b were transmitted separately.

The same procedure allows to "force" inputs between the primary controller 18a and the secondary controller 18b are synchronized. The primary controller 18a puts the forced entries in the buffer 140 with a label to prevent them from being overwritten, and the forced entry naturally becomes the secondary controller 18b transmitted.

Again with respect to 7 run the operating systems 73a and 73b after the completion of the synchronization of inputs, as by the process blocks 146 and 148 specified the security tasks 72b without further synchronization independent in the primary control 18a or in the partner control 18b out. This ensures an extremely fast execution of the security tasks 72a without too much communication delays.

In the following process blocks 150 and 152 in the primary control 18a or partner control 18b sends the primary controller 18a their output variable to the partner controller 18b , and the partner control 18b sends its output variable to the primary controller 18a in a cross-comparison process. The primary controller 18a and the partner control 18b then compare their own output values with those calculated by the other controller. If there is an error, a safety state is entered, otherwise the primary control will step 18a and the partner control 18b in each case to the respective process blocks 154 and 156 in which they produce a combined output value suitable for transmission over the network 134 or the backplane 76 determined according to a high reliability protocol. As is known in the art, the security state invokes a set of predefined output values and terminates the operation of the control process by notifying the operator of an error.

In the present invention, a series of combined data words are generated which provide a convenient block of through the primary controller 18a calculated output values and a through the partner control 18b calculated complement of the same output values.

After the completion of the process blocks 154 and 156 described generation of the output word is the safety task 72b completed, and the operating system locks the region 84b of the memory 60 again in read-only mode, as through the process blocks 158 and 160 and advances as scheduled to the next task. Alternatively, the lock could be performed by the final step of the safety task itself, as long as the task execution is not interrupted by the operating system.

If related to 6 and 8th in the process block 124 from 7 the task selection block is a standard task 72a selects, the operating system starts 73a easy with the execution of this task on the primary controller 18a by like through the process block 162 display the input variable 76 to be read. The through the process block 164 specified execution of the standard task and the transfer of output values, as by process block 166 specified. Each of these steps is well known in the art. The partner control 18b does not perform the standard task, but waits for another security task. As described, the transfer of expenses does not have to comply with the security protocol.

Again with respect to 9 can now the operating system 73a and 73b the primary controller 18a and the partner control 18b periodically perform two additional standard tasks, once every few hours. This through the process block 170 The first task specified is a standard task that tries to get data out of everyone through the task queue 86 to write the identified security task. If the writing is unsuccessful, for example by creating an exception, the task is successfully completed. Otherwise, if the write is successful, a security state can be invoked and an error reported to the user because the memory lock was not established.

The second task 172 provides a comparison of the internal security variables at periodic intervals 76b that contain neither input nor output of standard processes 42 and 46 form, between the primary controller 18a and the partner control 18b to verify that they are actually identical, even though the output variable may not deviate at all between performing the security tasks 72a demonstrate. The variables to be compared are buffered while the execution of other tasks is stopped.

Now referring to 11 is software scoping of variables between the security task 72b and the standard tasks 72a complemented by the architecture of the present invention. If, for example, the security tasks 72b in the primary control 18a and in partner control 18b try to storage areas 82a that with the standard tasks 72a and standard variables 76a are associated, read or describe the safety task 72b in the partner control 18b will not be able to access the address in the partner control 18b will not exist. This failure either results in an exception when reading an erroneous value, or results in a discrepancy between the tasks 72b retrieved values, producing an error in their final outputs. When in both the primary controller 18a as well as in the partner control 18b Default task information, such a failure would operate symmetrically and might not be detected.

Regarding 12 is reversed if a standard task 72a tried out of the storage regions 82b , the security tasks 72b or security variable 76b holding, writing, blocking this by the MPU, or if she writes successfully, she only writes in the one with the primary controller 18a associated region 82b and not in the partner control 18b associated region 82b , Again, this asymmetric writing leads to a change in only one of the programs 72b that cause a difference in the in the block 150 and 152 from 7 results in compared output variables.

The The present invention may be part of a "safety system" with which the human lives and body parts protected in the industrial environment. The one used here Nonetheless, the term "security" is no representation, that the present invention safe an industrial process or that other systems produce unsafe operation become. The safety in an industrial process depends on diverse Factors outside the scope of the present invention, including: Draft of Security system, installation and maintenance of the components of the Security system and participation and training of individuals who use the security system. Although the present invention is intended for this purpose is, highly reliable To be, all physical systems are prone to failures, and precautions must be taken be taken in the event of such a failure.

Especially It is intended that the present invention not be limited to those herein contained embodiments and representations is restricted, but comprises modified forms of those embodiments, the parts the embodiments and combinations of elements of various embodiments included within the scope of the present claims.

In short, a safety controller executes a control program in two processing units to detect a processor failure by comparing the execution in each unit. This comparison is done quickly by synchronizing the input variables at the beginning of the task and comparing output variables at the completion of the task, thereby avoiding a line by line comparison of input and output variables. Intermediate variable that neither input nor output are variable, are compared in a less frequent interval.

Key to the figures

1

• 78 - SAFETY TASK 1
• 101 - FOR SURE
• 211 - DEFAULT
• 70 - INSTRUCTIONS

3

• INPUT INPUT
• INTERNAL - INTERN
• OUTPUT OUTPUT

5

• 92 - SAFETY TASK?
• YES YES
• NO - NO
• 94 - CLEAR MEMORY
• 96 - ACCEPT THE TASK
• 98 - CONFIRM PARTNERSHIP AS PRIMARY
• 100 - CONFIRM PARTNERSHIP AS A PARTNER
• 102 - CLEAR MEMORY
• 104 - CLEAR MEMORY
• 106 - ACCEPT THE TASK
• 108 - ACCEPT THE TASK
• 114 - NEXT
• 116 - NEXT
• 118 - FINISHED

6

• 72b - SAFETY
• 72a - DEFAULT

7

• 124 - TASK SELECTION
• 126 - COMPARISON TASK
• 128 - LOCK TEST, UNLOCK MEMORY
• 130 - LOCK TEST, UNLOCK MEMORY
• 132 - SYNCHRONIZE INPUTS
• 134 - RECEIVED INPUTS
• 146 - EXECUTE SAFETY TASKS
• 148 - EXECUTE SAFETY TASKS
• 150 - CROSS-BALANCE OF EXPENDITURE
• 152 - CROSS-BALANCE OF EXPENDITURE
• 154 - GENERATE COMBINED OUTPUT
• 156 - GENERATE COMBINED OUTPUT
• 158 - LOCK MEMORY
• 160 - LOCK MEMORY

8th

• 162 - READ INPUT
• 164 - EXECUTE STANDARD DUTIES
• 166 - SEND EXPENSES

9

• 170 - WRITE IN LOCKED MEMORY
• 172 - COMPARE INTERNAL VARIABLES

Claims (14)

Method for operating a safety controller with a first and a second processing unit ( 18a . 18b ), each of which has a processor ( 58 ) and a memory ( 60 ), wherein in the memory of each of the first and second processing units ( 18a . 18b ) a shared safety program and input / output variables can be loaded, the safety program being repeatedly executable to read input variables representing inputs from externally controlled devices ( 40 ), and to write intermediate variables which are not addressed to external controlled devices ( 40 ) and to write output variables which output to externally controlled devices ( 40 ), characterized in that the method comprises the following steps: - execution of the common safety program on the first and second processing units ( 18a . 18b ) and comparing the execution of the common security programs and entering a security status if that execution differs; Synchronizing the input variables at the beginning of a task and comparing the output variables when completing a task; Comparing intermediate variables which are neither input variables nor output variables, in a less frequent interval; Limiting the comparison of the program execution only to the output variables and only at the conclusion of multiple instructions in order to achieve a faster execution of the safety program; - distinguishing between the types of variables and changing the periodicity of the comparison, taking into account the importance of these variables and the likelihood that they reflect fundamental errors; and adapting a coordinator program to provide each of the first and second processing units with identical input variables at a given point in the repeated execution of the common safety program. The method of claim 1, comprising additional process step: providing each of the first and second processing units with identical input variables at a predetermined point in the repetitive execution of the common safety programs. The method of claim 1, wherein the identical Input variables only at a single point in the repeated execution common safety programs. The method of claim 1, wherein the predetermined Point in the repeated execution of the common safety program the launch of the common safety programs is. The method of claim 2, wherein output variables are defined by the first and second processing units ( 18a . 18b ), which execute the safety program, are generated during execution of the safety program. Method according to claim 5, comprising the additional method steps: - repeated execution of the safety program - execution of the common safety programs by the first and second processing units ( 18a . 18b ) and comparing the execution of the common security programs; and if this embodiment differs, inputting a security status at the completion of each repeated execution immediately before outputting the output variable to the externally controlled device ( 40 ). The method of claim 2, comprising the additional steps of: - the safety program generating values of internal variables other than the input and output variables; Execution of the common safety programs by the first and second processing units ( 18a . 18b ) and comparing the execution of the common security programs; - entering a security status if this execution differs; and - comparing the execution of the security program by comparing values of the internal variables generated by the first and second processing units executing the security program. The method of claim 7, comprising the additional Steps: - repeated To run of the safety program and Compare the execution of the Safety program corresponding to a period greater than the Repetition period is. The method of claim 2, comprising the additional ones Steps: - To stop the execution of the common safety program at the given point in the repeated execution of the common safety program until the identical input variables the common safety programs have been made available. Method according to claim 2, comprising the additional method steps: - copying the input variables from the first processing unit into the second processing unit ( 18a . 18b ) to provide identical input variables. The method of claim 2, comprising the additional steps of: - asynchronously receiving input variables in a buffer memory of the first processing unit, and - providing each of the first and second processing units ( 18a . 18b ) with identical variables at a given point in the repetitive execution of the common safety program by copying the buffer into the memory of each of the processing units. The method of claim 1, comprising the additional steps of: combining the output variables if the execution of the common safety program does not differ to produce a single set of output variables associated with the controlled device ( 40 ) are transferable. The method of claim 12, wherein the combining operation a message that generates one with the value of the output variable chained output variable is complemented. Method according to claim 1, comprising the additional method steps: - comparing the outputs generated by the first and second processing unit executing the safety program ( 18a . 18b ) at the completion of each repeated execution just prior to the output of the output values to the external controlled device.